$9m oracle exploit on Bonzo slashes Hedera TVL by 40%
A manipulated oracle price feed allowed an attacker to drain $9.05 million from decentralized lender Bonzo, wiping out nearly 40% of the total value locked across the Hedera network.
Decentralized lending protocol Bonzo lost an estimated $9.05 million after an attacker exploited a verification flaw in a third-party oracle contract operating on the Hedera network. The breach allowed a single user to manipulate a price feed, artificially inflate their collateral value, and extract significant liquidity from the platform.
According to a preliminary incident report from Bonzo, the attacker initially deposited just 250 SAUCE tokens, an asset with negligible underlying value. The attacker then submitted a falsified price update through a Supra oracle contract. This specific verification flaw within the third-party infrastructure allowed the SAUCE token's HBAR-denominated value to be drastically and fraudulently inflated.
Using this manipulated price as collateral backing, the attacker was able to borrow assets far exceeding the actual value of their deposit. The compromised account withdrew 6.63 million USDC and 34.52 million wrapped HBAR. Based on a reference HBAR price of $0.06998, Bonzo calculated the direct loss from this wallet at approximately $9.05 million.
A secondary wallet also capitalized on the abnormal pricing, borrowing an additional $1 million in assets before the protocol or oracle could rectify the feed. However, this second account subsequently messaged Bonzo through Discord. The wallet operator identified themselves as a white-hat security responder and stated their intention to return the extracted funds. Because of this stated intention, Bonzo excluded the second wallet's activity from its headline loss figure, putting the total principal borrowed during the incident at approximately $10.06 million prior to any recovery.
The security failure has triggered immediate and severe collateral damage across Hedera's decentralized finance ecosystem. Data tracked by DeFLlama indicates that Hedera's total value locked (TVL) fell by nearly 40% within 24 hours of the exploit. The network now holds just $25.7 million in total value locked. Bonzo itself suffered an even more acute contraction, with its protocol TVL plummeting by 77%.
For investors active in decentralized finance, the Bonzo exploit highlights the structural risks inherent in oracle-dependent lending protocols. Oracle manipulation remains a primary vector for capital loss in the sector. Furthermore, the immediate 40% drop in Hedera's aggregate TVL demonstrates how a single isolated smart-contract vulnerability can rapidly erode broader network liquidity and suppress market confidence in an entire blockchain's financial infrastructure.